Wednesday, May 13, 2015

[Linux Article Collection] How to capture and replay network traffic on Linux

Source From Here

Preface
When you are testing or debugging middlebox hardware such as routers, switches, or IDS/IPS, it is extremely useful to perform the testing with reproducible network traffic. Using repeatable traffic minimizes uncertainty in the testing environment, thereby making test results easier to interpret and analyze. On Linux, there is a suite of command-line utilities called tcpreplay which can replay captured network traffic.

In this tutorial, I will show you how to capture live network traffic, and replay the captured network traffic elsewhere by using tcpreplay, tcpdump and tcprewrite.

The next step is to capture live network traffic, and dump it to a pcap file. To do so, run the tcpdump command as follows. I assume that eth0 is the sniffing interface, which is set to promiscuous mode:

#tcpdump -w dump.pcap -i eth0

Rewrite Packets in Traffic Dump
Next, rewrite the packets captured in the pcap file, so that we can replay them between any two arbitrary hosts (different from the original traffic source and sink). Run a series of the following commands to perform such packet rewriting.
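To show what this kind of endpoint rewriting does to each packet, here is an added Python example (not part of the original tutorial, and not tcprewrite's own code) that remaps IPv4 source and destination addresses in a pcap and patches the IPv4, TCP and UDP checksums so an IDS/IPS under test does not discard the replayed packets as corrupt. It assumes a little-endian classic pcap with untagged Ethernet frames and leaves MAC addresses alone; the function names and the sample packet are constructed for illustration.

```python
import struct

def csum_update(old_csum, old, new):
    """RFC 1624 incremental update: HC' = ~(~HC + ~m + m')."""
    total = ~old_csum & 0xFFFF
    for (o,), (n,) in zip(struct.iter_unpack("!H", old), struct.iter_unpack("!H", new)):
        total += (~o & 0xFFFF) + n
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def rewrite_frame(frame, ip_map):
    """Remap IPv4 src/dst in one Ethernet frame and patch IP, TCP and UDP checksums."""
    f = bytearray(frame)
    if len(f) < 34 or f[12:14] != b"\x08\x00" or not 0x45 <= f[14] <= 0x4F:
        return frame                      # not plain IPv4 over Ethernet, or truncated
    old = bytes(f[26:34])                 # source + destination address
    new = ip_map.get(old[:4], old[:4]) + ip_map.get(old[4:], old[4:])
    proto, fixups = f[23], [24]           # 24 = IPv4 header checksum offset
    l4_off = 14 + (f[14] & 0x0F) * 4 + {6: 16, 17: 6}.get(proto, len(f))  # TCP/UDP checksum
    first_frag = struct.unpack_from("!H", f, 20)[0] & 0x1FFF == 0
    if first_frag and l4_off + 2 <= len(f) and (proto == 6 or f[l4_off:l4_off + 2] != b"\0\0"):
        fixups.append(l4_off)             # a UDP checksum of 0 means "not computed"
    f[26:34] = new
    for off in fixups:
        c = csum_update(struct.unpack_from("!H", f, off)[0], old, new)
        if off != 24 and proto == 17 and c == 0:
            c = 0xFFFF                    # UDP sends a computed zero as 0xFFFF
        struct.pack_into("!H", f, off, c)
    return bytes(f)

def rewrite_pcap(pcap, ip_map):
    """Rewrite every record of a little-endian classic pcap with Ethernet link type."""
    magic, linktype = struct.unpack_from("<I16xI", pcap, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian classic pcap, LINKTYPE_ETHERNET")
    out, off = bytearray(pcap[:24]), 24
    while off + 16 <= len(pcap):
        end = off + 16 + struct.unpack_from("<I", pcap, off + 8)[0]   # incl_len
        if end > len(pcap):
            break                         # truncated final record: drop it
        out += pcap[off:off + 16] + rewrite_frame(pcap[off + 16:end], ip_map)
        off = end
    return bytes(out)

# Constructed sample: one UDP datagram 10.0.0.1:1234 -> 10.0.0.2:53, payload "test".
SAMPLE_FRAME = bytes.fromhex("020000000002 020000000001 0800 4500002000010000401166ca"
                             " 0a000001 0a000002 04d20035000cfef2 74657374")
SAMPLE_PCAP = struct.pack("<IHHiIII4I", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1, 0, 0, 46, 46) + SAMPLE_FRAME
```

Because the checksums are updated incrementally from the old and new addresses only, the patch also works on frames whose payload was cut short by the capture snap length.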

2. To cache a pcap file in RAM after the first time, so that subsequent loops do not incur disk I/O latency:

#tcpreplay --loop=100 --enable-file-cache --intf1=eth0 final.pcap

3. To replay traffic five times as fast as the original traffic was captured:

#tcpreplay --multiplier=5.0 --intf1=eth0 final.pcap

4. To replay traffic at a rate of 10Mbps:

#tcpreplay --mbps=10.0 --intf1=eth0 final.pcap

5. To replay traffic at 100 packets per second:

#tcpreplay --pps=100 --intf1=eth0 final.pcap

6. To replay traffic in infinite loops or until CTRL-C is pressed:

#tcpreplay --loop=0 --intf1=eth0 final.pcap

7. To replay traffic as quickly as possible:

#tcpreplay --topspeed --intf1=eth0 final.pcap

Summary
In this tutorial, I demonstrated how to modify packet traces in a systematic way using tcprewrite, and inject them onto the network with tcpreplay. Combined with other pcap manipulation tools, they give you an effective means of doing various kinds of network testing and troubleshooting in a more controlled environment.